Imagine you’ve installed the latest and greatest security system for your home—smart locks, cameras, motion detectors—the whole package. You sleep soundly at night, confident that nothing can get past your defenses. But what if a burglar figured out a way to slip past your security without triggering any alarms?
That’s exactly what happens in cybersecurity when an evasion is successful.
What Is an Evasion?
In cybersecurity, an evasion is a sneaky trick that allows attackers to slip past security measures undetected. Think of it like someone disguising themselves as a delivery driver to walk right through a guarded entrance. If a security product can’t recognize or stop an evasion, then all the protections it promises can be bypassed—making it effectively useless in that moment.
At CyberRatings.org, we rigorously test security products against evasions, focusing on two key areas:
- Network Layer Evasions (OSI Layers 3 and 4) – Attackers manipulate how data is sent across the network to avoid detection.
- Application Layer Evasions (OSI Layer 7) – Attackers disguise malicious content within legitimate-looking traffic to fool security products.
Network Layer Evasions: The Invisible Backdoor (Layers 3 & 4)
At the network level, data moves in packets—small chunks of information that get routed between devices. Security products like firewalls, intrusion prevention systems (IPS), and secure web gateways (SWG) inspect these packets to detect threats. However, what if attackers manipulate the way these packets are sent?
How Attackers Evade at This Level:
- Fragmentation: Breaking malicious payloads into tiny pieces across multiple packets, so that a security product which inspects packets individually, or reassembles them differently from the receiving host, never sees the complete payload and cannot recognize the threat.
- Traffic Spoofing: Making malicious traffic appear like normal web browsing, using tricks like forged source IPs, deliberately invalid packet formats, or mimicry of trusted protocols.
- Obfuscation with Tunnels: Hiding malware traffic inside legitimate protocols (e.g., carrying malicious payloads or command-and-control traffic over HTTPS or DNS).
Application Layer Evasions: The Master of Disguise (Layer 7)
At the application level, attackers take things up a notch. Instead of just manipulating how data moves, they manipulate what’s inside the data itself. This tricks security tools like web proxies, email security gateways, and endpoint security solutions into thinking the traffic is safe.
How Attackers Evade at This Level:
- Encoding and Encryption: Hiding malicious payloads inside harmless-looking data, like base64-encoded text or password-protected ZIP files.
- Polymorphic Malware: Changing the structure of the malware slightly with each attack to evade signature-based detection.
- User-Agent Spoofing: Making malicious traffic look like it’s coming from a trusted browser or application.
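The fragmentation and encoding evasions listed above both defeat an inspection engine that looks at each packet in isolation. The following added example (not CyberRatings.org test code) contrasts a naive per-packet signature check with one that reassembles the stream by offset and strips one layer of base64 before matching; the signature string and the fragment sets are constructed for illustration.

```python
"""Defender-side illustration: inspection must reassemble and decode
before matching, or a split or encoded payload slips through."""
import base64
from dataclasses import dataclass

# Constructed sample signature the detector is told to alert on.
SIGNATURE = b"cmd.exe /c"


@dataclass
class Fragment:
    offset: int   # byte offset of this chunk within the original stream
    data: bytes


def per_packet_match(fragments):
    """Naive IPS: inspect each fragment on its own, no reassembly."""
    return any(SIGNATURE in f.data for f in fragments)


def reassemble(fragments):
    """Rebuild the stream by offset; tolerates out-of-order delivery.
    Gaps and overlaps are refused rather than guessed at, because an
    ambiguous overlap is itself a classic evasion against reassembly."""
    out = bytearray()
    for f in sorted(fragments, key=lambda f: f.offset):
        if f.offset != len(out):
            raise ValueError("gap or overlap at offset %d" % f.offset)
        out += f.data
    return bytes(out)


def normalized_match(fragments):
    """Stream-aware IPS: reassemble, then match both the raw stream and
    its base64-decoded form (one decoding layer, strict alphabet)."""
    stream = reassemble(fragments)
    if SIGNATURE in stream:
        return True
    try:
        decoded = base64.b64decode(stream, validate=True)
    except (ValueError, TypeError):
        return False
    return SIGNATURE in decoded


# Constructed traffic: the signature split across three fragments.
PAYLOAD = b"cmd.exe /c whoami"
SPLIT_FRAGS = [Fragment(0, b"cmd.e"), Fragment(5, b"xe /c w"),
               Fragment(12, b"hoami")]
# Constructed traffic: same payload base64-encoded, then split in two.
_ENC = base64.b64encode(PAYLOAD)
ENCODED_FRAGS = [Fragment(0, _ENC[:10]), Fragment(10, _ENC[10:])]
```

Run as a script, `per_packet_match` returns False for both fragment sets while `normalized_match` returns True, which is exactly the gap an evasion test is designed to expose.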
The Bigger the Evasion, the Bigger the Impact
The lower the OSI layer where an evasion happens, the broader the attack’s potential impact:
- Network layer evasions (Layers 3 & 4) allow attackers to bypass security at a fundamental level, enabling them to deliver any type of malicious traffic to their target. Since all modern applications rely on IP and TCP, this means an attacker could exploit vulnerabilities across a wide range of systems, from cloud services to enterprise apps.
- Application layer evasions (Layer 7) are more constrained because they only affect specific protocols, applications, or services. While they can be highly effective for targeted attacks, they depend on network-layer evasion techniques to ensure that the attack traffic reaches the target without being blocked.
A Better Way to Think About It:
- A network-layer evasion is like slipping through an unguarded side door of a skyscraper. Once inside, you can access any office or floor, allowing for a wide range of attacks.
- An application-layer evasion is like using a fake employee badge to enter a specific office. It only gets you into that department, meaning the impact is more focused on a particular application or system.
Why Evasion Testing Matters for Security Buyers
If you’re evaluating a firewall, secure web gateway, or SSE (security service edge) platform, don’t just look at feature lists—look at how well it handles evasions.
A security solution that fails against evasions is like a locked door with a hidden back entrance—it might look secure, but it’s easy to bypass.
This is why we test security products against real-world evasion techniques—so enterprises, IT teams, and decision-makers can choose solutions that actually stop threats instead of just looking good on paper.
Want to see how your security products hold up? Check out CyberRatings.org’s independent test results to find out!